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1. Introduction and Scope 


A general overview of our approach to records management is outlined in our Information 
Management Policy. The aim of the Retention and Disposal Policy is to outline the ICO’s 
approach to managing the retention and secure disposal of our information in line with our 
business requirements and legal obligations. 


There are various pieces of legislation which outline retention requirements. These include, 
but are not limited to: 


e Freedom of Information Act 2000 - including the Code of Practice Section 46 (FOIA) 
e The UK General Data Protection Regulations (the UK GDPR) 

e Data Protection Act 2018 (DPA 18) 

e Public Records Act 1958 

e Limitation Act 1980 

e Inquiries Act 2005 


The requirements outlined in this policy have been developed to provide a consistent 
approach to the retention and disposal of corporate information. This policy applies to all 
physical and digital information, regardless of storage location. 


2. Roles and Responsibilities 


All ICO staff are responsible for managing the information they create and receive as part of 
their normal daily business activities and should familiarise themselves with the Retention 
and Disposal Schedule. 


Specific records management responsibilities are also allocated to individual staff members 
and various committees and boards across our corporate structure, as detailed in our 
Information Risk Management Network. The following roles have additional responsibilities 
around retention and disposal: 


Information Asset Owners (IAO): IAOs ensure that all assets under their control are 
following retention schedule rules. They have ownership of the assets and are therefore 
responsible for ensuring adherence to the Retention and Disposal Schedule. IAOs are 
responsible for authorising the destruction of information when required. 


Information Asset Managers (IAM): IAMs assist the IAOs in their role and are 
operationally responsible for the upkeep of information assets, including adherence to the 
Retention and Disposal Schedule. 


Local Information Management Officer (LIMO): LIMO monitor compliance with the 
retention schedule, whilst encouraging and working with staff to ensure ongoing conformity. 
Alongside this, the LIMO reports to the IAM and IAO on compliance with the schedule within 
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their team. They also need to implement any changes required to the schedule in accordance 
with ICO procedure and work to improve compliance with the schedule where needed. 


Local Asset Administrator (LAA): LAA work with staff directly to ensure the retention 
schedule is adhered to, undertaking some work disposing of information and recording 
disposal where needed. The LIMO is likely to delegate instructions to the LAA to assist in 
improving compliance with the schedule. 


More information about the responsibilities of individuals in the Information Risk Management 
Network can be found in our Roles and Responsibilities guidance. 


3. Retention Periods 


Our retention periods are driven by legislation and/or business need. If there is no legally 
defined retention period for corporate information it is the responsibility of the relevant 
IAO(s) (with input from the Information Management & Compliance team) to determine an 
appropriate retention period. 


We assign clearly defined retention periods to our information to ensure it is kept for the 
appropriate length of time. Each retention period has three elements: 


e Trigger - the action which begins the retention period (e.g., ‘End of Financial Year’ or 
‘End of Employment’) 
e Retention period - the length of time the information will be kept 
e Action - either ‘review’ or ‘destroy’. 
o If the action is ‘review’ the information must be reviewed to ensure it is no 
longer required before destruction. Outcomes of a review may be - dispose, 
mark for permanent preservation, or temporary extension to review again at a 
future date. 
o If the action is ‘destroy’, this means the information can be destroyed without 
being reviewed in line with ICO procedure. 


3.1. Retention and Disposal Schedule 


Our Retention and Disposal Schedule sets out our retention periods. Information must be 
kept for the length of time defined in the Schedule unless there is a legal requirement to 
destroy it sooner. 


The Schedule is arranged by function, rather than by directorate. By following a functional 
approach we can ensure that the Schedule will not need to change in the event of 
organisational restructures and that information held by multiple directorates is only captured 
on the Schedule once. 
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Any proposed additions or changes to retention periods must be captured on this form and 
sent through to the Information Management & Compliance team. Significant changes may 
need to be signed off by the relevant IAO(s). 


The Schedule is reviewed on an annual basis by the Information Management & Compliance 
team with input from the Information Risk Management Network. Any queries about the 
Schedule should be raised with the Information Management & Compliance team. 


3.2. Weeding 


Not all information we create has long-term value. Our Retention and Disposal Schedule does 
not include redundant, obsolete or trivial (ROT) information. This should be destroyed 
periodically by each directorate as part of routine housekeeping. Approval or sign-off to 
delete ROT information is not required. 


‘Weeding’ does not apply to corporate records included in the Schedule, which should only be 
destroyed when they have reached the end of their retention period. 


Information should be weeded for two reasons: 


e To ensure that we are not wasting money or space (either digital or physical) by 
storing ROT information. 

e To make the process of reviewing and appraising records easier. Sifting through low- 
value records makes this process more time-consuming. 


Below are common examples of information which are usually of limited value once they are 
no longer in use and can be weeded through housekeeping. This should not be seen as an 
exhaustive list. 


Drafts - Draft documents lose value and can become obsolete once a final version has been 
published. However, on some occasions where significant changes or deviation have taken 
place, a draft may be retained to show how the final decision was made. 


Emails - Outlook has an automated retention policy that retains emails for 12 months. It is 
important that information assets are saved to shared spaces, to provide evidence of 
decisions made or action taken. Once a conversation has reached a significant point, any 
earlier emails from this chain can be deleted. 


Duplicates - We should not retain any duplications. Duplications can lead to multiple 
versions of information which can cause confusion. 


Research Material - Whether developing policy or preparing to give advice, research 
material may be created or collected such as notes or copies of guidance from external 
organisations. The value of this information decreases once the final version has been 
created. 


Information Management & Compliance 
Retention and Disposal Policy 
May 2022 v 7.10 


Limited Long Term Operational Value - Some information may be of importance for only 
a short period of time and then become redundant. This information should be weeded as 
soon as they are no longer required. 


Weeding should be done on a regular basis to ensure that clutter does not build up over time. 
It is up to each team to decide a reasonable schedule for housekeeping, based on their 
resources and the amount of information they generate. IAOs should encourage weeding on a 
regular basis. 


Weeding should cover all information the directorate stores, paper or digital, regardless of the 
System it is held on. This includes personal drives and desktops. 


4. Disposal 


4.1. Review 


When information has reached the end of its retention period it may need to be reviewed to 
ensure that it is no longer required. Information that has an action of 'destroy' on the 
Schedule can be disposed of securely without a review. Where possible, automated retention 
rules should be built into corporate systems. 


Where a review is required the IAO assisted by the IAM and LIMOs should consider the 
relevant information and decide whether it can be destroyed. If a high volume of information 
is being reviewed at once then this should be conducted at a macro level, i.e., not document 
by document. If information is marked for permanent preservation or subject to a legal hold 
it may be necessary to review every document. 


Information should only be retained beyond its retention period in limited circumstances. 
When conducting a review, the following factors should be taken into account: 


e Is the information required to fulfil statutory or regulatory requirements? 

e Is the information relevant to ongoing litigation / subject to a legal hold? 

e Is the information the subject of an information request or relate to information 
recently disclosed in a response? 

e Is retention required to evidence events in the case of a dispute? 

e Does the information fall under the selection criteria for permanent preservation and 
transfer to the National Archives outlined in the Selection and Appraisal Methodology? 

e Is the information required for a Public Inquiry? 

e Is there another demonstrable business need for retaining the information? 


If the information is deemed to still be required, an extension of two years is given, the 
information needs to be reviewed again at the end of the extension. 
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The retention period must not be extended indefinitely. You should contact the Information 
Management & Compliance team if you still intend to keep the information after applying the 
two-year extension period. 


4.2. Destruction 


When records are no longer required by the organisation and do not have archival value they 
should be securely destroyed. Destruction of records should not proceed without sign off from 
the relevant IAO. 


A record containing what has been destroyed, when it was destroyed and the individual who 
authorised the destruction should be created. A template Record of Destruction can be found 
here (please note that this link is only accessible to ICO staff.) 


Records should be destroyed with the level of security required by the confidentiality of their 
contents. For example, if records containing special category data or protectively marked 
papers have been shredded, the shredded paper should be handled securely and not dumped. 
Records awaiting destruction must be stored securely. 


Paper records should be placed into the confidential waste bins and documents stored on 
electronic systems should be deleted, including back-ups. Deletions should be carried out by 
someone with appropriate access to the system from which they are being deleted. Digital 
documents should be deleted and not overwritten. 


When information is destroyed, all copies of the information should be destroyed at the same 
time (both digital and physical). Information cannot be considered to have been completely 
destroyed unless all copies have been destroyed as well. 


4.3. Permanent Preservation 


Documents should be selected for permanent preservation if they meet the criteria specified 
in the Selection and Appraisal Methodology. 


Documents which have been marked for permanent preservation must not be destroyed. Any 
information which is selected for preservation should be clearly marked to ensure it is not 
destroyed accidentally. 


4.4. Legal Holds 


As a public authority the ICO is responsible for ensuring that any information under a legal 
hold is identified. A legal hold is the process of preserving all forms of information relevant to 
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legal proceedings. If a legal hold is in place there is a freeze on the destruction of any 
relevant material held by the organisation. 


A legal hold might be required if information relates to a Public Inquiry or if it pertains to any 
litigation that the ICO is involved with, such as an FOI Complaint which is subject to appeal. 
If you are unsure whether information in your possession falls under a legal hold, contact the 
Information Management Service for advice. 


When information falls under a legal hold it should be clearly marked as such so it is not 
accidentally included in any scheduled destruction. 


Under the Inquiry Rules 2006 those responsible for public records have a duty to make 
arrangements for the selection of any and all information they hold which contains or may 
contain content as identified in relation to an investigation. Appendix 1 shows the Public 
Inquiries that are currently open in the UK, or due to be opened soon. 


Following the closure of the inquiry, the information should be reviewed to determine how 
long it needs to be retained. 


Version History 


Version Date Amended by Comments 

3.1 20/01/18 Stuart Ashton First Draft 

4.0 24/05/18 Stuart Ashton Final Version 

4.1 14/08/18 Lesley Owen- Final Version, updated with minor 

Edwards amendments 

4.2 05/11/2019 Steven Johnston Update to Retention Schedule - 
Assurance and Customer Contact (Breach 
Reports) 

4.3 19/11/2019 Ben Cudbertson Added general annual leave information 
to HR section 

4.4 27/11/2019 Ben Cudbertson Split Live Chat Transcriptions' into 


"GCI/Touchpoint' and ‘Goss’ 
transcriptions. Changes retention of 
GCI/Touchpoint transcriptions from 2 
years to 90 days. 


4.5 06/01/2020 Steven Johnston Update to live chat transcript retention 
period. Amended from 90 to 100 days. 

4.6 03/02/2020 Steven Johnston Removal of 'text messages' entry in 
schedule 

5.0 07/04/2020 Steven Johnston Annual review and schedule updates. 

5.1 21/05/2020 Jennifer Matthews Addition to HR (Security Clearance 
Correspondence, Declaration of outside 
interests) 

5.2 16/06/2020 Ben Cudbertson Addition of Data Protection Fee 


Information - Paper records. Changed the 
trigger for Data Protection Fee 
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Information - Electronic Records from 
‘lapsed payment’ to ‘lapsed registration.’ 


24/06/2020 Steven Johnston Addition of Webinar / live event 
recordings 

13/10/2020 Ben Cudbertson Added Case Study to Comms section 

20/10/2020 Ben Cudbertson Changed Maternity, Paternity, Adoption 
and Sick Leave retention period from 3 
years to 4 years and changed trigger 
from ‘end of financial year after return’ to 
‘end of financial year’. 

13/01/2021 Ben Cudbertson Added digital direct debit scans 

19/02/2021 Ben Cudbertson Added car sharing information 

02/03/2021 Tiffany Higgins Changed Internal Guidance and LTT to 
date withdrawn from Creation. 

04/03/2021 Jen Matthews Added - Digital Mailroom instruction DP 
Fees scans 

11/03/2021 Jen Matthews Schedule under review - Updated: Legal 
Basis, Roles & Responsibility, IMS 
contact, Weeding 

06/04/2021 Jen Matthews Changes (including 2-year extension) 
confirmed 

04/06/2021 Steven Johnston Directorate name change throughout to 
Digital, IT and Business Services. 
Amendments to include this directorates 
TAQ 3b2 72:229 02419 Pe Only 
8.16, 10.2, 10.3, 10.4. Name change 
from GCI to Nasstar at 1.8. Addition of 
10.12. Retention period for 3.9 changed. 

09/08/2021 Tiffany Higgins Addition to HR section (MHFA Application 
Details and details of MHFA attendance to 
training) 

23/08/2021 Steven Johnston Addition of 2.10 and 2.11. 

25/08/2021 Steven Johnston Addition of 3.15, 3.16 and 6.21. 

08/09/2021 Tiffany Higgins Addition of 2.12 and 2.13. 

22/09/2021 Tiffany Higgins Removal of 1.9 

28/09/2021 Ben Cudbertson Major update of Retention and Disposal 
Policy following review. Amended 
retention periods for HPI inquiries (8.5- 
8.7) 

04/10/2021 Ben Cudbertson Change to retention period for 
communications with journalists (2.7) - 
increased from 12 months to 3 years 

7.2 11/10/2021 Ben Cudbertson Updated job titles for IAOs 

7.3 01/12/2021 Steven Johnston Addition of 6.22. 

7.4 02/12/2021 Ben Cudbertson Addition of 2.14. 

7.5 03/12/2021 Steven Johnston Change of IAO at 3.7. 

7.6 10/01/2022 Simon Lochery Addition of 11.13 - Staff photographs 
7.7 13/01/2022 Steven Johnston Addition of 1.9 Chatbot transcripts 
7.8 14/02/2022 Simon Lochery Addition of 6.23 - audio recordings 
7.9 26/04/2022 Steven Johnston Addition of 2.15 - Staff pulse surveys 
7.1 15/05/2022 Ben Cudbertson Updated section 4.2 - clarified that 


template is only accessible to ICO staff 
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Appendix 1 - Ongoing Inquiries 


Public Inquiry 


Information to be retained 


Independent Inquiry into Child Sexual 
Abuse (IICSA) Also referred to as the 
Goddard Inquiry. 


Any material including reports, 
reviews, briefings, minutes, notes and 
correspondence relating to the care of 
children in public or private care. 


Scottish Child Abuse Inquiry 


Any material including reports, 
reviews, briefings, minutes, notes and 
correspondence relating to the care of 
children in public or private care. 


Undercover Policing Inquiry 


Any material relating to undercover 
police operations conducted by 
English and Welsh police forces in 
England and Wales since 1968 in 
particular the collusion of the police in 
the blacklisting of trade union 
members. 


Upcoming Covid-19 Inquiry 


Further guidance yet to be issued by 
the Government. 
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Appendix 2 - Retention Schedule 


1. Communications Activities 


IAO 


Communications which 


may not directly fall 


under a function 


Retention Trigger | Retain For Action Retention 
Source 
1.1 Staff Mailboxes and Outlook Creation 12 months Destroy Business Need 
1.2 Physical Correspondence Once Scanned 6 months Destroy Business Need 
1.3 Internal Email Mailboxes Creation 12 months Destroy Business Need 
1.4 Customer Email Boxes Creation 12 months Destroy Business Need 
1.5 External Email Mailboxes Creation 12 months Destroy Business Need 
1.6 Unified Comms Instant Creation 7 days Destroy Business Need 
Messages 
1.7 Other Instant Messages Creation 7 days Destroy Business Need 
1.8 Nasstar/Touchpoint Live Chat Creation 100 days Destroy Business Need 
Transcriptions 
1.9 Chatbot transcripts Creation 12 Months Destroy Business Need 
1.10 | Calling Line Identification Creation 90 Days Destroy Business Need 
1.11 | Your Data Matters Pledge Creation Email Address: 1 month | Destroy Business Need 


Name and Organisation: 


12 months 
2. Corporate Communications and Marketing 
Retention Trigger | Retain For Action Retention Source IAO 

2.1 | Market Research Reports, Press | Last Action 6 years Review Business Need Director of Risk and 
Releases, Campaigns and Governance, Director of 
Projects, Informer, and Image Digital, IT and Business 
Banks Services 

2.2 | Staff Events and Briefings, Last Action 3 years Review Business Need Director of Risk and 
Public Engagement and Political Governance, Director of 
Monitoring Digital, IT and Business 

Services 
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2.3 | Conference Delegate Lists Last Action 400 days Destroy Business Need Director of Risk and 
Governance, Director of 
Digital, IT and Business 
Services 
2.4 | Webinar / Live Event Webinar Completed 1 month Destroy Business Need Director of Risk and 
Registration Governance, Director of 
Digital, IT and Business 
Services 
2.5 | Webinar / Live event recordings | Event completed 12 months Destroy Business Need Director of Risk and 
Governance, Director of 
Digital, IT and Business 
Services 
2.6 | Journalist Information Request of the Instant once | Destroy Business Need Director of Risk and 
Journalist to remove | requested Governance 
their information 
2.7 Communications with Journalists | Creation 3 years Destroy Business Need Director of 
Communications 
2.8 | Requests for Publications Creation 4 weeks Destroy Business Need Director of Risk and 
Governance 
2.9 | Case Study Publication date 3 years Review Business Need Director of 
Communications, Director 
of Digital, IT and Business 
Services 
2.10 | E-newsletter contact profile Last Action (ICO 6 months Destroy Business Need Director of 
stops sending its e- Communications. 
newsletter) 
2.11 | E-newsletter analytics Last Action 2 years Destroy Business Need Director of 
Communications. 
2.12 | Records of emails to main Creation 18 months Destroy Business Need Director of Digital, IT and 
contacts of DP Fees Register Customer Services 
2.13 | Email the Register - suppression | Completion of 12 months Destroy Business Need Director of Digital, IT and 
list emailing main Customer Services 
contacts of DP Fees 
Register 
2.14 | Customer Experience Survey Survey Closure 30 days Destroy Business Need Director of Public Advice 
contact information and Data Protection 
Complaints 
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2.15 | Staff Pulse Surveys Survey Closure 12 months Destroy Business Need Executive Director of 
Strategic Change and 
Transformation. 
3. Corporate Functions 
Retention Retain Action | Retention Source IAO 
Trigger For 
3.1 | Health and Safety Inspections, Last Action 6 years Review | The National Archives Retention Director of People and 
Property Management and Scheduling: Departmental Workforce Planning 
Asset Records Accounts, Health and Safety at 
Work Act 1974 and supporting 
Regulations, Limitation Act 1980 
3.2 | Documents relating to IT End of System 12 months | Review | Business Need Director of Digital, IT and 
system integral to their running | Life Business Services 
and long-term use 
3.3 | Records and Information Last Action 3 years Review | Business Need Director of Risk and 
Management Governance 
3.4 |IT Infrastructure Last Action 3 years Review | Business Need Director of Digital, IT and 
Business Services 
3.5 | Information Security Last Action 6 years Review | Business Need Director of Risk and 
Governance, Director of 
Digital, IT and Business 
Services 
3.6 | Information Requests Case Closed 2 years Destroy | Business Need Director of Risk and 
(Including MP request not dealt Governance 
with directly by the 
Commissioner) 
3.7 | Projects and Corporate Last Action 3 years Review | Business Need Exec Director Strategic 
Programmes Change and Transformation 
3.8 | Building Reports, Risk Assets, Last Action 3 years Review | Limitation Act 1980 Director of People and 
Helpdesk and Security Reports Workforce Planning 
3.9 |IT Back ups Last Action Up to 12 Destroy | Business Need Director of Digital, IT and 
months Business Services 
3.10 | System Audit Logs Last Action 12 months | Destroy | Business Need Director of Digital, IT and 
Business Services 
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3.11 | Casework Performance Last Action 2 years Destroy | Business Need Director of Digital, IT and 
Management Information Business Services 
3.12 | CCTV Last Action 1 month Destroy | ICO CCTV Policy Director of People and 
Workforce Planning 
3.13 | Reception Sign in Book End of Year 2 years Destroy | Business Need Director of People and 
Workforce Planning 
3.14 | Google Analytics Reports Last Action 38 months | Destroy | Business Need Director of Digital, IT and 
Business Services, Director of 
Risk and Governance 
3.15 | IT incident management reports | Last Action 3 years Review | Business Need Director of Digital, IT and 
from 3"? parties Business Services 
3.16 | IT helpdesk incident reports, Last Action 3 Years Review | Business Need Director of Digital, IT and 
service requests and knowledge Business Services 
base 
4. Corporate Governance 
Retention Retain For | Action | Retention Source IAO 
Trigger 
4.1 | Memorandum of Understanding End of 6 years Destroy | Business Need Director of Risk and 
Understanding Governance 
4.2 | Internal Committees and Groups | Minutes Agreed | 6 years Review | Business Need Director of Risk and 
minutes Governance 
4.3 | Commissioner's Delegated End of 6 years Review | Business Need Director of Risk and 
Authority, Briefings, Decision Commissioner's Governance 
Notes and Legal Advice Term 
4.4 | Corporate Governance Support Last Action 3 years Review | Business Need Director of Risk and 
Governance 
4.5 | Organisation wide Corporate Superseded 3 years Review | Business Need Director of Risk and 
Plans, Policies, Business Governance 
Continuity, Risk Management 
and Strategies 
4.6 | Elected Members End of 3 years Review | Business Need Director of Risk and 
Correspondences to the Commissioner's Governance 
Commissioner Term 
4.7 | Corporate Roles and Superseded 6 years Review | Business Need Director of Risk and 
Responsibilities Governance 
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5. Finance 


Retention Retain For Action Retention Source IAO 
Trigger 
5.1 | Financial Information End of Financial 6 years Destroy HM Treasury Director of Finance 
Year guidelines, National 
Audit Office advice, 
Companies Act 2006 
5.2 | Payroll Capita Reports End of Financial 6 years Destroy HM Treasury Director of Finance 
Year guidelines, National 
Audit Office advice, 
Companies Act 2006 
6. Human Resources 
Retention Retain For Action Retention Source IAO 
Trigger 
6.1 Employee Files and Personal End of 6 years Destroy The National Archives Director of People and 
Development Records Employment Retention Scheduling: Workforce Planning 
Employee Personnel 
Records and CPID 
6.2 | Disciplinary and Grievance, Last Action 6 years Destroy Limitation Act 1980 Director of People and 
Examination and Testing, Workforce Planning 
Accident, and Ill Health 
6.3 | Job Descriptions and Terms & Last Action 6 years Destroy Limitation Act 1980 Director of People and 
Conditions Workforce Planning 
6.4 | Training Material Superseded 6 years Destroy Limitation Act 1980 Director of People and 
Workforce Planning 
6.5 | Political Declarations Superseded or | 6 years Destroy The National Archives Director of People and 
End of Retention Scheduling: Workforce Planning 
Employment Employee Personnel 
Records and CPID 
6.6 | Industrial Relations Last Action 6 years Destroy Limitation Act 1980 Director of People and 


Workforce Planning 
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6.7 | Payroll Sheets End of 6 years Destroy HM Treasury guidelines, Director of People and 
Financial Year National Audit Office Workforce Planning 
advice, Companies Act 
2006 

6.8 | General Annual Leave End of 3 years Destroy The National Archives Director of People and 

Information Financial Year Retention Scheduling: Workforce Planning 
Employee Personnel 
Records 
6.9 | Maternity, Paternity, Adoption End of 4 years Destroy Statutory Sick Pay Director of People and 
and Sick Leave Financial Year (General) Workforce Planning 
Regulations 1982 
Statutory Maternity Pay 
(General) Regulations 
1986 
Statutory Paternity and 
Statutory Adoption Pay 
(Administration) 
Regulations 
2002 

6.10 | Successful Recruitment End of 6 months Destroy The National Archives Director of People and 
Candidate Information Employment Retention Scheduling: Workforce Planning 
(including third party referee Employee Personnel 
details provided by the Records and CPID 
applicant) 

6.11 | Unsuccessful Recruitment Last Action 6 months Destroy Limitation Act 1980 Director of People and 
Candidate Information Workforce Planning 
(including third party referee 
details provided by the 
applicant) 

6.12 | Staff Pension, Pay History, and From DOB 100 years Destroy The National Archives Director of People and 
Termination Reasons Retention Scheduling: Workforce Planning 

Employee Personnel 
Records 
6.13 | Health Surveillance Last Action 40 years Destroy Health and Safety at Work | Director of People and 
Act 1974 Workforce Planning 
6.14 | Third party emergency contact End of Immediate Destroy Business Need Director of People and 


details provided by the staff 
member 


Employment 


Workforce Planning 
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6.15 | Equality and Diversity Published | Last Action 6 years Review Public Sector Equality Duty | Director of People and 
Information Workforce Planning 
6.16 | Marriage Certificate and From DOB 100 years Destroy The National Archives Director of People and 
Documents relating to Civil Retention Scheduling: Workforce Planning 
Registration Employee Personnel 
Records 
6.17 | Medical/Self Certificates - End of absence | 4 years Destroy The National Archives Director of People and 
unrelated to industrial injury Retention Scheduling: Workforce Planning 
Employee Personnel 
Records 
6.18 | Security Clearance End of Security | 6 years Destroy Business Need Director of People and 
Correspondence Clearance Workforce Planning 
6.19 | Secondary Employment and Superseded or | 6 years Destroy Business Need Director of People and 
Outside Interests Declaration End of Workforce Planning 
Employment 
6.20 | Mental Health First Aiders Acceptance to 3 years Destroy Business Need Director of People and 
Application Form and Details of | MHFA Scheme Workforce Planning 
Attendance to MHFA Training 
6.21 | TMP profiles Last Action 1 year Destroy Business Need Director of People and 
Workforce Planning 
6.22 | Responses to recruitment Last Action 6 months Destroy Business Need Director of People and 
process feedback surveys Workforce Planning 
6.23 | Audio recordings of staff Created 12 months Review Business Need Director of People and 
interviews for National Workforce Planning 
Apprenticeship Week 
7. Legal 
Retention Retain For | Action Retention Source IAO 
Trigger 
7.1 | Legal Advice Last Action 6 years Review Limitation Act 1980 Director of Legal Services 
(Regulatory Enforcement), 
Director of Legal Services 
(Regulatory Advice and 
Commercial) 
7.2 | Enforcement Legal Cases Case Closed 6 years Review Business Need Director of Legal Services 
(Regulatory Enforcement) 
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7.3 | Contracts End of Contract | 6 years Review The National Archives Director of Legal Services 
Retention Scheduling: (Regulatory Advice and 
Contractual Records Commercial) 
7.4 | Unsuccessful Tenders Last Action 400 Days Review The National Archives Director of People and 
Retention Scheduling: Workforce Planning 
Contractual Records 
7.5 | Building Contracts and Leases End of Contract | 12 years Review Limitation Act 1980 Director of Legal Services 
(Regulatory Advice and 
Commercial) 
7.6 | Non-disclosure agreements Last Action 2 years Review Business Need Director of Legal Services 
(Regulatory Advice and 
Commercial) 
7.7 | Trademark documents Last Action 6 years Review Business Need Director of Legal Services 
(Regulatory Advice and 
Commercial) 
7.8 | Case summaries and Last Action 6 years Review Business Need Director of Legal Services 
background documents (Regulatory Advice and 
Commercial) 
8. Regulatory 
Retention Retain For | Action Retention Source IAO 
Trigger 
8.1 | Appeals Information Tribunal Case Closed 6 years Review Limitation Act 1980 Director of Legal Services 
(Regulatory Enforcement) 
8.2 |AII Criminal Enforcement Case Case Closed 6 years Review Limitation Act 1980 Director of Investigations, 
Director of High Priority 
Investigations & Intelligence 
8.3 | Civil Enforcement case where Case Closed 6 years Review Limitation Act 1980 Director of Investigations, 


8.4 


action was taken 


Civil Enforcement Case where 
no action taken 


Case Closed 


2 years 


Destroy 


Business Need 


Director of High Priority 


Investigations & Intelligence 


Director of Investigations, 
Director of High Priority 
Investigations & Intelligence 
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Complaints Physical items 
(items which cannot be scanned 


8.5 | HPI inquiry where regulatory Inquiry Closed | 6 years Review Limitation Act 1980 Director of High Priority 
action was taken Investigations & Intelligence 
8.6 | HPI inquiry where no regulatory | Inquiry Closed | 6 years Review Business Need Director of High Priority 
action was taken Investigations & Intelligence 
8.7 | HPI scoping activity that is not Scoping 2 years Destroy Business Need Director of High Priority 
progressed to an inquiry activity ceased Investigations & Intelligence 
8.8 | Gathered Intelligence Entered onto 6 years Review Business Need Director of High Priority 
Intelligence Investigations & Intelligence 
Log 
8.9 | Data Protection and FOI Case Closed 2 years Destroy Business Need Director of Public Advice & DP 
Complaints Complaints, Director of FOI and 
Transparency 
8.10 | Data Protection and FOI Case Closed 6 months Destroy Business Need Director of Public Advice & DP 


Complaints, Director of FOI and 
Transparency 


or returned) 
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8.11 | Cases relating to Section 159 of | Case Closed 6 years Destroy Limitation Act 1980 Director of Public Advice & DP 
the Consumer Credit Act 1974 Complaints 
8.12 | Audit, Advisory and Engagement | Case Closed 6 years Review Business Need Director of Regulatory 
Reports Assurance, Director of Digital, IT 
and Business Services 
8.13 | Audit and Engagement Case Closed 6 years Destroy Business Need Director of Regulatory Assurance 
supporting audit documents 
8.14 | Audit and Engagement Case Closed 3 Years Destroy Business Need Director of Regulatory Assurance 
supporting project documents 
8.15 | IPA audits and supporting audit | Case Closed 6 years Review Business Need Director of Regulatory Assurance 
documents 
8.16 | IPA related documents and Document 6 years Review Business Need Director of Regulatory Assurance 
correspondence created 
8.17 | NIS related documentation Document 6 years Review Business Need Director of Regulatory 
created Assurance, Director of Digital, IT 
and Business Services 
8.18 | Data Protection Fee Information | Lapsed 2 years Destroy Business Need Director of Digital, IT and 
- Electronic Records registration Business Services 
8.19 | Data Protection Fee Information | Date of 2 years Destroy Business Need Director of Digital, IT and 
- Paper Records payment Business Services 
8.20 | Data Protection Fee Information | Date Processed | 9 months Destroy Business Need Director of Digital, IT and 
- Digital Mailroom Scan (copy of | in digital Business Services 
paper records) mailroom 
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8.21 | Digital Scans of Direct Debit Date of 6 years Review Business Need Director of Finance 
Mandates payment 
8.22 | Breach Report - No action taken | Case Closed 2 years Destroy Business Need Director of Digital, IT and 
Business Services 
8.23 | Breach Report - where action Case Closed 6 Years Review Limitation Act 1980 Director of Digital, IT and 
was taken Business Services 
8.24 | Communications Data Document 5 Years Review Home Office: Director of Investigations, 
created Communications Data | Director of High Priority 
Code of Practice Investigations & Intelligence 
9. Regulatory - Internal Activities 
Retention Retain For | Action Retention Source IAO 
Trigger 
9.1 | Information created in relation Last Action 6 years Review Business Need Director of Regulatory Strategy, 


to new policies, guidelines, and 
research. This information has 
been created internally to guide 
decision making. This relates to 
any final drafts and significant 
supporting information 


Director of Regulatory Futures, 
Director of Legislative Reform, 
Director of Technology and 
Innovation Service, Director of 
High Priority Investigations and 
Intelligence and Director of 


Regulatory Assurance 


10. Stakeholder Engagement 
Retention Retain For Action Retention Source IAO 
Trigger 
10.1 | First Line Advice Services Case Closed 2 years Destroy Business Need Director of Digital, IT and 


Business Services, Director of 
Regulatory Strategy, Director 
of Public Advice & DP 
Complaints 
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10.2 


Engagement with significant 
stakeholders: This will include 
government departments, large 
companies, and charities as well 
as international work. 


Last Action 


6 years 


Review 


Business Need 


Director of Regulatory 
Strategy, Director of 
Regulatory Futures, Director 
of Legislative Reform, Director 
of Technology and Innovation 
Service, Director of 
International Regulatory Co- 
operation, Director of 
Investigations, Director of 
High Priority Investigations 
and Intelligence, Director of 
Regulatory Assurance, 
Director of Public Advice & DP 
Complaints, Director of FOI 
and Transparency, Director of 
Digital, IT and Business 
Services. 


10.3 


10.4 


Engagement with less significant 
stakeholders: Advice provided to 
smaller organisations with the 
advice only affecting small 
numbers. 


Guidance for External Use 


Last Action 


Superseded 


3 years 


6 years 


Review 


Review 


Business Need 


Business Need 


Director of Regulatory 
Strategy, Director of 
Regulatory Futures, Director 
of Legislative Reform, Director 
of Technology and Innovation 
Service, Director of 
Investigations, Director of 
High Priority Investigations 
and Intelligence, Director of 
Regulatory Assurance, 
Director of Public Advice & DP 
Complaints, Director of FOI 
FOI and Transparency, 
Director of Digital, IT and 
Business Services. 

Director of Regulatory 
Strategy, Director of 
Regulatory Futures, Director 
of Legislative Reform, Director 
of Technology and Innovation 
Service, Director of 
Regulatory Assurance, 
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Director of Digital, IT and 
Business Services. 


10.5 | Data Privacy Impact Last 6 years Review Business Need Director of Technology and 
Assessments Communication Innovation Service 

10.6 | Finalised Binding Corporate End of Contract | 6 years Review GDPR (Article Director of Regulatory 
Rules 47(2)(k)) Assurance 

10.7 | BCR Initial Assessment National 2 years Review Business Need Director of Regulatory 
Supporting Documents Authorisation Assurance 

10.8 | BCR Point of Contact and Legal After each 12 months Review Business Need Director of Regulatory 
Representation details annual update Assurance 

10.9 | Consultations: The ICO gathers Policy As soon as Destroy Business Need Director of Regulatory 
information externally through Published policy Strategy, Director of 
an open consultation in relation published Regulatory Futures, Director 
to a policy they are developing of Legislative Reform, Director 


of Technology and Innovation 
Service and Director of 
Regulatory Assurance 


10.10 | Sandbox - key documents Last Action 7 years Review Business Need Director of Regulatory 
Assurance 
10.11 | Sandbox - supporting Last Action 1 year Review Business Need Director of Regulatory 
documents Assurance 
10.12 | Consultations: SME feedback End of 1 year Destroy Business Need Director of Digital, IT and 
consultation Business Services 


11. Organisation Wide 


Retention Retain For Action Retention Source IAO 
Trigger 
11.1 | Significant Draft Versions: The Last Action 3 years Review Business Need These are generic documents 
draft versions of policies, advice, which sit within all 
and guidelines for significant areas departments for filling similar 
of work roles. Therefore, there isn't a 
11.2 Less Significant Draft Versions: Last Action 12 months Review Business Need specific Information Asset 
General drafts of documents Owner for this set of 
created for less significant work information, each owner's 
11.3 | Internal Audits Creation 3 years Destroy Business Need departments will have their 
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11.4 | Internal Guidance and Lines to Date 6 years Destroy Business Need own versions of these 
Take Withdrawn documents for which they 
11.5 | Templates, Procedures, Team Last Action 3 years Review Business Need will be the owner of. 
Information and Team Meetings 
11.5 | Annually Renewed Documents End of 3 years Review Business Need 
Financial Year 
11.7 | Department Logs and Registers Last Action 12 months Review Business Need 
11.8 | Team Administration Creation 3 years Review Business Need 
11.9 | Management Information End of 6 years Review Business Need 
Financial Year 
11.10 | General Content Types Last Action 12 months Review Business Need 
(SharePoint) 3 years 
6 years 
11.11 | Mobile device information for Creation 90 days Destroy Business Need 
visitor Wi-Fi use 
11.12 | Car Sharing Information Last Modified 12 months Destroy Business Need 
11.13 | Staff photographs End of Up to 12 Review Business Need 
employment months 
12. Transfer to The National Archives (For preservation) 
Retention Retain For Action Retention Source IAO 
Trigger 
12.1 | Information detailing what has Last Action 6 years Review The National Archives Director of Risk and 
been sent to the National Archives Information Management Governance 
(not transferred) Guidance 
12.2 | Section 170 DPA and Section 77 Case Closed Prepare The National Archives Director of Risk and 
FOI for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.3 Publications and Material Creation Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.4 | Management Board Minutes Last Action Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
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12.5 | Senior Leadership Team Minutes Last Action Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.6 | Executive Team Minutes Last Action Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.7 | Upper Tribunal Case and Court of Case Closed Prepare The National Archives Director of Risk and 
Appeal for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.8 | ICO Constitution Superseded Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.9 | Office Wide Strategic Plans Superseded Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.10 | Department of Culture, Media and Last Action Prepare The National Archives Director of Risk and 
Sport for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.11 | Delegated Authority Last Action Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.12 | Legal Advice to Commissioner Last Action Prepare The National Archives Director of Risk and 
(where it is directly relevant to for Collection Policy, Public Governance 
information rights policy) Transfer Records Act 1958 
12.13 | High Profile Casework (Further Case Closed Prepare The National Archives Director of Risk and 
guidance provided) for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.14 | PECR Breach Logs Superseded Prepare The National Archives Director of Risk and 
for Collection Policy, Public Governance 
Transfer Records Act 1958 
12.15 | Interactions with key stakeholders | Last Action Prepare The National Archives Director of Risk and 
in relation to interpreting Data for Collection Policy, Public Governance 
Protection and Freedom of Transfer Records Act 1958 


Information Act, Code of Practice 
relating to acts, legislative 
development, and significant 
internal advice 
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12.16 


Civil Monetary Penalty Cases 


Case Closed 


Prepare 
for 
Transfer 


The National Archives 
Collection Policy, Public 
Records Act 1958 


Director of Risk and 
Governance 
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